Yahoo has had to bear bad news story after bad news story for some years now but, even by those standards, the past six months have been trying.
On July 25th, Verizon agreed to buy the company for $4.8 billion. Two months later, Yahoo announced that half a billion user records were hacked back in 2014. Then, just two weeks after that, news broke that Yahoo secretly searched customer emails in 2015 for U.S. intelligence organizations. As a result, Verizon said it wanted a billion-dollar discount on the deal, which amounted to a whopping 20% off.
And now, a few months down the line, Yahoo has disclosed what is thought to be the biggest breach yet, which has led to reports that the Verizon deal could be scuttled altogether.
The implications of Yahoo’s breach and alleged espionage activities will continue to unfold in the coming months. But for now, chief information security officers (CISOs) should take three core lessons on board.
The CISO’s role in M&A should expand: When it comes to M&A, most CISOs tend to spend their time trying to get a head start on post-deal integration, revise the information security team’s strategic plan, or assess the acquisition target’s information security practices. None of these are typically core M&A activities and rarely make a material impact on a deal’s outcome.
This should change. The Yahoo news suggests CISOs belong at the table to evaluate, advise on, and even help negotiate M&A deals. The CISO’s role in M&A should be to manage information risks associated with deals — including breaches the target may be (knowingly or unknowingly) sitting on, illegal or embarrassing data handling practices by the target, etc. — and then use that knowledge to inform how the deal progresses. While CISOs cannot be personally responsible for breaches that occur at acquisition targets, they do have expertise that can help senior leaders manage the impact of cyber crises on M&A deals.
CISOs also play a critical role in helping the senior M&A team understand how information risks associated with M&A can manifest as business risks with poor financial outcomes. Being able to make this connection will paint the CISO as a necessary participant in M&A negotiations, and not just someone to provide a compliance check or help integrate important processes.
The CISO-board relationship needs to go beyond “protect, detect, respond, recover”: Traditionally, the CISO’s relationship to the board is that of assurance provider. CISOs currently spend 15%-20% of their time preparing for, delivering, and following up on board presentations that build the board’s confidence in the firm’s cybersecurity program — a task that often boils down to showing how Information Security can protect against, detect, respond to, and recover from data breaches.
This type of CISO-board interaction is far too narrow and misses large business risks — such as making a bad M&A deal — that derive from information risks.
Looking to the future, CISOs should balance providing assurance to the board with higher-value governance discussions. These conversations include:
Define (and modify as necessary) the CISO’s role in M&A.
Discuss business risks (that derive from information risks) associated with specific M&A targets.
Update Information Security’s strategy to support digitization efforts.
Identify ways Information Security can create top-line value, not just reduce bottom-line losses.
As the rocky Yahoo-Verizon deal demonstrates, information risk is more complex than just avoiding and responding to breaches (as difficult as that is). Information risk management failures can impact all aspects of the business, including major M&A deals, ability to execute digitization strategies, etc. That is, information risk pervades almost all aspects of business activities, all the way up to board-level governance conversations. CISOs’ board reporting should reflect the full and broad business risk implications of information risk — not just the cybersecurity program.
The true costs of cyber breaches can exceed expectations: That cyber crises, such as data breaches, can be expensive is common knowledge. But the conventional wisdom also holds that major data breaches in the news are remarkably less costly to organizations than outsiders might expect. Costs are often contained to a short period of time, and organizations typically recover (stock price, revenue, etc.) in weeks or months, not years — individual costs, such as job loss, notwithstanding.
The Yahoo breaches, however, show that costs can spiral quickly to far higher levels. Verizon is likely to get a significant discount on its acquisition of Yahoo, the basis of which would be Yahoo’s massive breach. In fact, the current news suggests the total cost implications of the breach may well exceed a whopping $1 billion, suggesting we may witness the first “billion dollar breach.”
This development underscores a critical aspect of understanding cyber crisis costs. The largest costs are often indirect and unrelated to the direct costs of responding to and recovering from breaches. In Yahoo’s case, the most significant cost of the breach will likely be its implications for the Verizon deal, not the legal costs, fines, or consultant fees associated with the direct response to the breach itself.